Vulnerability Development mailing list archives
RE: controlling ebp/eip of a frame, does it always lead to possible code execution?
From: "Fisch, Matthew" <mfisch () kaz com>
Date: Fri, 19 Sep 2003 13:06:42 -0400
Ingram,

I may be mistaken, but I think I remember some people on the FreeBSD dev team talking about how their sshd was not vulnerable to this arbitrary code execution attack (although sshd was crashable). I don't recall if there was a change in their openssh code, or an OS restriction.

-----Original Message-----
From: Ingram [mailto:Vail () gmx net]
Sent: Thursday, September 18, 2003 1:45 PM
To: vuln-dev () securityfocus com
Cc: pondermate () hotmail com
Subject: Re: controlling ebp/eip of a frame, does it always lead to possible code execution?

deepcode . wrote:
> By the looks of it, you are doing everything right. Your overwritten return
> address points directly to your NOPs. The shellcode should be executed. What OS are you on? You may have additional stack protections on the system to prevent standard overflows, particularly Red Hat 9 (Shrike), which I'm using now, will prevent this: not sure exactly how yet ...

*doh*, sorry, forgot to mention the OS: I am running FreeBSD 4.8 without any stack protections.